On 05/24, Benny Pedersen wrote:
> reject spf_softfail in mta, or report to http://www.dnswl.org/

SPF_SOFTFAIL kind of sucks:

http://ruleqa.spamassassin.org/?daterev=20120519-r1340375-n&rule=%2Fspf

  MSECS    SPAM%     HAM%     S/O    RANK   SCORE  NAME   WHO/AGE
      0   3.2640  27.9430   0.105    0.67    0.00  SPF_PASS
      0   6.3320   0.6518   0.907    0.58    0.00  SPF_SOFTFAIL
      0   4.0263   1.1272   0.781    0.50    0.00  SPF_NEUTRAL
      0        0        0   0.500    0.50    0.00  SPF_NONE
      0   1.7415   1.6254   0.517    0.39    0.00  SPF_FAIL

SPF_SOFTFAIL hits 6.3% of spam and 0.7% of ham, which is a pretty
terrible ratio, which gives it a rank of 0.58, where 1 is best
(RCVD_IN_DNSWL_HI, in fact), and 0 is worst. A rank of 0.58 sucks.
Therefore rejecting on it at your MTA is a bad idea. But it's your MTA.
I've done lots of things with my MTA on purpose that were a bad idea.

> (why did they list a dynamic ip ?)

I don't think they did.

> if sender is legit why is it softfailing ?

Generally because people configure their SPF records badly. SOFTFAIL
*means* the sending domain isn't certain they have all their legit
sending IPs listed. So based on the protocol it's also inappropriate to
use for absolute blocking. (In addition to the real world statistics
above.) It's unfortunate.

--
"Wash daily from nose-tip to tail-tip; drink deeply, but never too deep;
And remember the night is for hunting, and forget not the day is for sleep."
 - The Law of the Jungle, Rudyard Kipling
http://www.ChaosReigns.com
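
Added example, not part of the original message: a Python sketch of how the qualifier on `all` in a published SPF record decides whether an unlisted sending IP comes back as softfail (`~all`) or fail (`-all`). It evaluates only the ip4, ip6 and all mechanisms; the records and addresses below are constructed, using documentation ranges.

```python
import ipaddress

# RFC 7208 qualifier -> result returned when the mechanism matches
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed records: same listed range, different confidence in the list
RECORD_SOFT = "v=spf1 ip4:192.0.2.0/28 ~all"   # "we may have missed some senders"
RECORD_HARD = "v=spf1 ip4:192.0.2.0/28 -all"   # "this list is complete"
LISTED_IP = "192.0.2.5"
UNLISTED_IP = "198.51.100.7"  # e.g. a legitimate relay the domain forgot to list


def evaluate_spf(record, client_ip):
    """Evaluate the ip4/ip6/all subset of an SPF record for one client IP.

    Mechanisms that need DNS (a, mx, include, exists, ptr) and modifiers
    such as redirect= are outside this sketch and raise ValueError.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    for term in terms[1:]:
        qualifier = "+"  # implicit qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # always matches; ends evaluation
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
            continue  # no match: fall through to the next mechanism
        raise ValueError(f"mechanism not handled in this sketch: {term}")
    return "neutral"  # nothing matched and no "all": RFC 7208 default


if __name__ == "__main__":
    for rec in (RECORD_SOFT, RECORD_HARD):
        for addr in (LISTED_IP, UNLISTED_IP):
            print(f"{rec!r:40} {addr:15} -> {evaluate_spf(rec, addr)}")
```
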